[secdir] Re: Secdir last call review of draft-ietf-mpls-spring-inter-domain-oam-14

Shraddha Hegde <shraddha@juniper.net> Thu, 16 May 2024 05:07 UTC

From: Shraddha Hegde <shraddha@juniper.net>
To: Chris Lonvick <lonvick.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
Date: Thu, 16 May 2024 05:07:18 +0000
CC: "draft-ietf-mpls-spring-inter-domain-oam.all@ietf.org" <draft-ietf-mpls-spring-inter-domain-oam.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/FaG1FFf-5wREtyQ9K35AwxccKwg>

Hi Chris,

Thanks for the review.
Pls see inline <SH> for replies.
Version -15 will address your comments.

Rgds
Shraddha


-----Original Message-----
From: Chris Lonvick via Datatracker <noreply@ietf.org>
Sent: Wednesday, May 15, 2024 10:41 PM
To: secdir@ietf.org
Cc: draft-ietf-mpls-spring-inter-domain-oam.all@ietf.org; last-call@ietf.org; mpls@ietf.org
Subject: Secdir last call review of draft-ietf-mpls-spring-inter-domain-oam-14


Reviewer: Chris Lonvick
Review result: Ready

Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready.

The day job has me going and I wasn't able to spend as much time with this as I would have preferred. However, I found it to be understandable and well thought-out.

I would like the Security Considerations section to include a more direct reference to RFC 8029 rather than just saying an implementation should have filter policies. Perhaps add the same paragraph that is used in the Security Considerations of RFC 8287 as a new paragraph.
<SH> Added above statement to last paragraph:
    All the security considerations defined in [RFC8029] will be applicable for this document

Also, I think that the reference to MACsec should use a RECOMMENDED rather than a "suggested".
<SH> Ok fixed as below
An operator MUST deploy appropriate filter policies
    as described in [RFC8029] to restrict the LSP ping/traceroute packets based on origin.
    It is also RECOMMENDED that an operator deploy security mechanisms such as MACsec
    on inter-domain links or security-vulnerable links to prevent spoofing attacks.


I did see some nits in the document. Unfortunately, I didn't record them. I can point out the last sentence of the Security Considerations section needs some work. It currently has, "the network devices MUST have mechanisms to prevent of Denial-of-service attacks" Either delete the "of" or change it to "for the prevention of".
<SH> Fixed this one as well as other nits. Thanks for pointing out.

Best regards,
Chris